Information Security, IoT and Cloud Computing

IoT is all about connecting devices and machines to the Internet so that they can talk to each other, collect and share data, analyze the data, and bring business value out of data analytics. A fair argument is that we have been using sensors and devices to collect and analyze data for a very long time (at least 2-3 decades), for example in industrial control systems and SCADA networks. So why is there so much hype about the Internet of Things if the concept is not entirely new?

This is true! Sensors, networking, data collection, and data analysis have been going on for quite some time. However, what is really new and exciting now is the following:

Cost of Building Sensors and Devices – In the past, sensors were very costly and we could use these for limited purposes only due to lack of a good business case. Now the cost of sensors has gone down drastically and it is very easy to build devices to collect data.

Availability of Wireless and Mobile Technologies like LTE – In the past it was very difficult and costly to connect remote sensors and devices. The networks to connect devices were either not available or had very low bandwidth and high latency. With the availability of new technologies, this situation has changed drastically and networks are available everywhere and at a very low cost.

Two-Way Communications to Make Decisions and Take Actions – In the past, typical data collection was one way and in many cases it was not real time. It was difficult to have two-way communication to take actions on data. With the availability of new networks and powerful devices, real-time two-way communication has become a reality and it is making the use of IoT more interesting.

User Interface and Mobile Apps – Many of the IoT technologies of today rely on apps built for mobile devices that provide an easy user interface. That was not the case just a few years back.

Availability of Low Cost, High Bandwidth Networks to Transmit Data – For massive data collections, the overall cost of network to transmit data to data processing centers has gone down. While we did talk about wireless networks earlier, this is more about data transmission in bulk.

Cloud Based Processing and Storage for Data Analytics – Cloud Computing now provides on-demand machines for processing and storing data which makes scalability achievable. Building infrastructure was an issue in the past.

Common Business Applications and Use Cases – Many new use cases of IoT technologies have emerged starting from home technologies to smart cities and smart grids, to healthcare and so on.

Open Source APIs, Tools, Protocol Standardization – Open source technologies and standardization of protocols are also playing a role in wider adoption of IoT. Now people can build devices and applications that work across a wider range of vendors.

These are just some of the reasons why IoT is gaining popularity and wider adoption although the concept is not entirely new. Adoption of IPv6 addressing, especially in wireless networks, is also lifting the limitation on the number of machines that can be connected to the Internet.

However, before venturing into the IoT bandwagon, it is important that companies work on building their own IoT frameworks that encompass device management, end-to-end data paths, security, encryption, storage, analytics, and use cases.

Building an IoT framework is a key to make IoT initiatives successful and achieve business value.

When it comes to training and development of the workforce, organizations have been relying on different companies, life coaches, executive consultants, and training gurus. Given the knowledge economy we live in, exploring new ideas about learning, training and development is imperative for the growth of a business. This article does a great job of answering some of the common questions and misconceptions.


Software Defined Networking or SDN brings a paradigm shift and new promises about how networks are designed and operated. The biggest change is separating the control plane from the data forwarding plane, which in the current network paradigm are tied together on the same box. This will not only allow ease of management from a centralized location but will also make plumbing in new protocols easy.

While SDN is focussed on networking, it also brings added advantages for information security, some of which are listed below.

In SDN networks, security can be baked into the network forwarding plane, whereas it is an add-on feature in traditional networking.


As the InfoSec landscape changes constantly, so do the responsibilities of a CISO. Virtual security appliances are becoming more common in the Cloud environment. Similarly, IoT and Software Defined Networking (SDN) are picking up steam and can’t be ignored by a CISO.

As many of you know, I have been publishing CISO Mind Map for a number of years. The last update was made in December 2014. I have added/updated some items based upon the latest industry trends and changes in the technology landscape, although a major part of the Mind Map is the same.

Permission to Use – As always, permission for non-commercial use of this Mind Map is granted as long as proper citations and references are provided. Any trademarks or service marks used in the Mind Map are the property of their respective owners.

PDF Download – PDF Download of the Mind Map is available at this link.


The Verizon 2015 DBIR was just released today, and as someone said, it is “the best” DBIR ever. The report provides a number of important findings and new data analysis, especially around the cost of data breaches. The report contains analysis of 2122 confirmed data breaches and 79790 security incidents. It is available for download from http://www.verizonenterprise.com/DBIR/

So what is new? Here is a summary:

There were 70 partners contributing to this data set. Compared to last year, when 50 partners contributed to DBIR 2014, this is a 40% increase.

As in the 2014 DBIR, the vast majority of security incidents (96%) still fall into nine major categories.

There is a significant hype about mobile threats. However, the data shows that mobile threats are not playing a significant role in real data breaches yet.

Verizon created a new model for estimating the cost of data breaches, which comes out to 58 cents per stolen record.

Verizon analyzes the top three threats for different industry segments.

The “detection deficit” is still playing a huge role in data breaches. This means the attackers are getting smarter but defenders are not making much progress.

Phishing is playing a big role. People open about 23% of phishing emails and about half of them open attachments.

This year’s data breach report is better than ever, with more contributors to the data set and new recommendations from Verizon to detect breaches early, minimize the damage, and better respond to security incidents. This is a “must read” for information security professionals.


There are almost as many information security reports out there as there are security vendors. Keeping up to date with these reports can be a challenge, and sometimes they become an information overload for security professionals.

The Verizon Data Breach Investigations Report (DBIR) provides the largest data set and trend analysis for data breaches. Other reports also provide useful information if one knows where and what to look for and which reports are relevant.

We can place these reports in the following major categories:

Reports Based Upon Data – Reports based upon real data collected from the field

Survey Reports – Reports based upon surveys and opinion of security professionals

Technology Specific Reports – Some reports that are specific to certain technologies like DDoS, or Web Applications

Research Reports – Examples include Ponemon Institute’s report on cost of data breaches

Following is a summary of some of these reports.

Verizon DBIR

The Verizon Data Breach Investigations Report, or DBIR, is the leading source of data on data breaches and is based upon investigations performed by Verizon and a large number of Verizon partners. Verizon uses the VERIS (Vocabulary for Event Recording and Incident Sharing) framework to collect and analyze data. VERIS, a free framework designed by Verizon, is being used by many organizations. The report is a must read and is very well respected in the information security profession. It analyzes trends and provides recommendations for stopping data breaches, detecting them early, and reducing cost if a data breach does happen.

Symantec Internet Security Threat Report

The report notes the numerous ways Symantec collects the data used for this report (a combination of data from Symantec products, managed services, and third-party data sources). According to the report, Symantec also uses its vulnerability database and its spam, phishing, and malware data. The report analyzes these data sources and has useful information.

McAfee Labs Threat Report

“Millions of mobile app users are still exposed to SSL vulnerabilities”, states the latest McAfee Labs Threat Report. Like Symantec, McAfee also collects data from a large install base of its products across the globe. McAfee Labs, which is now part of Intel, delivers this report based upon analysis of this data.

The McAfee report covers some specific topics and statistics and is an interesting read for InfoSec professionals.

RSA Breach Readiness Report

RSA recently published an e-book to identify gaps in breach readiness. This report is based upon interviews and opinions of executives from a large number of organizations. The report shows gaps in the areas of (a) incident response, (b) content intelligence, (c) analytics intelligence, and (d) threat intelligence. The report notes that people and processes are more important than technology when it comes to incident response.

Trustwave Global Security Report

The Trustwave Global Security Report is based upon data collected by Trustwave from its own intelligence gathering and investigations. The report shows trends in data breaches based upon Trustwave’s data set.

FireEye and Mandiant Reports

FireEye and Mandiant also publish their own reports. The latest 2015 M-Trends Report provides some interesting statistics about the state of information security. This report shows the trends that FireEye is seeing in the marketplace. It also includes a detailed case study.

Imperva Web Application Attack Report

The Web Application Attack Report is very interesting for those who are interested in web application security. I would strongly recommend reading the Imperva report, which shows web application attack methods and analysis. It provides analysis of attack vectors and issues with different technologies/frameworks.

Arbor Networks DDoS Reports

The Arbor Networks report on DDoS is a good read for people focused on network security.

Conclusions

A number of other reports are available from vendors like Cisco, PwC, and E&Y. I have included some URLs for these reports below. With so much information being put forward by different vendors, it may feel like information overload. The information provided in these reports is helpful depending upon one’s interests and needs. However, each business is different, and care must be exercised in applying the data provided by these reports in a specific context.


SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis is an industry standard way of analyzing a current situation (marketing, business strategy, risk assessment, etc.). In many cases, SWOT analysis provides the foundation for creating business strategy. Following is a short description of how we can use it as a tool for creating InfoSec strategy and for executive briefings.

Following is a sample SWOT analysis for a security organization. While this is a reasonable template to perform SWOT analysis, one may have to make some changes and tweaks to make it suitable for a specific organization.

Note that opportunities may include items that can be implemented in short-term and that may utilize existing investments in technology or processes.

Using SWOT Analysis Tools for Executive Briefing

Typically the SWOT analysis chart is reviewed by the key InfoSec leaders to identify different items and put them into the appropriate categories (internal vs. external, helpful vs. harmful). Once the SWOT analysis is complete, it can also be used as a tool for executive briefings and to explain InfoSec strategy to corporate leadership.

The role of the CISO, and of other InfoSec professionals, has morphed into a critical business function. One should expect to get involved in “business” discussions often, and at higher levels. Understanding and speaking business language is more important than ever for the success of any InfoSec professional. Knowing basic business lingo is also crucial for effective communication inside an organization.

Following is a list of basic terms that every InfoSec professional should understand, at least at a basic level. It is a draft list and I intend to update it later on. However, it provides a good starting point. Clicking on the links will take a reader to the relevant Wikipedia pages for more information.

In addition to the above, there are many other terms specific to different industry sectors. For example, the insurance industry has its own terminology, like “liability coverage”, that an InfoSec professional should learn. The same is true for manufacturing, banking, retail, government, and other industry sectors.

I am sure I may have missed many others. If a reader feels strongly about any terms (or categories) that should be part of this list, please send your suggestions. Download the PDF version of this Mind Map from this link.


IDC (and other analysts) predict that information security, threat intelligence, data analytics, and hunting, among others, will grow and become a more important part of a CISO’s strategy in 2015 and beyond.

If one has the money and backing of a large organization, it is very tempting to build an internal security operations center (SOC) that embodies the items listed above. The following mind map is just to make sure that people understand what they are getting into, and think through the pros and cons of building an internal SOC.

Like everything else in technology, a typical SOC will require three things:

Technology – Most firms can buy it given a sufficient amount of money.

People – Arguably many firms can hire the required people given a sufficient amount of money. Keeping them, however, is another matter.

Processes – A SOC requires mature processes. Most companies struggle with this. An experienced firm can be very helpful in this area.

Even before getting into the discussion of people, process and technology, if one can’t answer the “Why” part of building a SOC with sufficiently convincing detail, please don’t start. That is the reason I highlighted this part in the mind map.


Many people have asked for a PDF version of the CISO Mind Map so that they can print it. I am attaching three PDF sizes, all of them at 300 dpi resolution. Choose whichever you like and print it. While printing, you can also select “scaling” to make the print even bigger (depending upon your printer). Use one of the following links to download the PDF files.